Token endpoint
To obtain an Access Token, an ID Token and, optionally, a Refresh Token, the RP (Client) sends a Token Request to the Token Endpoint and receives a Token Response.
Request URL:
https://identify.safewhere.com/runtime/oauth2/token.idp
URI parameters:
| Parameter | Description |
|---|---|
| client_id | The client identifier (required). |
| client_secret | The client secret (optional). |
| grant_type | The grant type of the flow (required). One of: authorization_code, client_credentials, password, refresh_token, urn:ietf:params:oauth:grant-type:device_code. |
| scope | One or more registered scopes (optional). |
| redirect_uri | The redirect URI of the client (optional). Required when grant_type is authorization_code. |
| code | The authorization code received from the authorization server. Required when grant_type is authorization_code. |
| code_verifier | The PKCE proof key (code verifier). |
| username | The Identify username. Required when grant_type is password. |
| password | The Identify password. Required when grant_type is password. |
| refresh_token | The refresh token. Required when grant_type is refresh_token. |
| device_code | The device code. Required when grant_type is urn:ietf:params:oauth:grant-type:device_code. |
| client_assertion | The client assertion. Required when private_key_jwt is used as the client authentication method. |
| client_assertion_type | The client assertion type. Required when private_key_jwt is used as the client authentication method. |
| resource | Indicates the target service or resource to which access is being requested (optional). Multiple resource parameters MAY be used to indicate that the requested token is intended for multiple resources. Its value MUST be an absolute URI, MUST NOT include a fragment component and SHOULD NOT include a query component, and it must be one of the configured Security token audiences. If the request includes a resource parameter, the resulting JWT access token's aud claim SHOULD have the same value as the resource parameter in the request. |
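As an added illustration (not Safewhere Identify's own code), the following Python validates a token request body against the rules in the table: the parameters that become required for each grant_type, the pairing of client_assertion with client_assertion_type for private_key_jwt, and the MUST/SHOULD constraints on the resource value. The audience set passed in stands for the configured Security token audiences, and the sample request values are constructed.

```python
from urllib.parse import urlsplit

# Grant types the table lists as supported.
GRANT_TYPES = {
    "authorization_code",
    "client_credentials",
    "password",
    "refresh_token",
    "urn:ietf:params:oauth:grant-type:device_code",
}

# Parameters that become required for a given grant_type (from the table).
CONDITIONAL_REQUIRED = {
    "authorization_code": ("redirect_uri", "code"),
    "client_credentials": (),
    "password": ("username", "password"),
    "refresh_token": ("refresh_token",),
    "urn:ietf:params:oauth:grant-type:device_code": ("device_code",),
}


def check_resource(uri, allowed_audiences):
    """Check one resource value. Returns (errors, warnings): the MUST rules and
    the audience check produce errors, the SHOULD rule produces a warning."""
    errors, warnings = [], []
    parts = urlsplit(uri)
    if not parts.scheme or not parts.netloc:  # MUST be an absolute URI
        errors.append(f"resource {uri!r} is not an absolute URI")
    if parts.fragment:  # MUST NOT include a fragment component
        errors.append(f"resource {uri!r} contains a fragment component")
    if parts.query:  # SHOULD NOT include a query component
        warnings.append(f"resource {uri!r} contains a query component")
    if uri not in allowed_audiences:  # must be a configured audience
        errors.append(f"resource {uri!r} is not a configured Security token audience")
    return errors, warnings


def validate_token_request(params, allowed_audiences=()):
    """Validate the form parameters of a token request.

    `params` maps parameter names to values; a repeated resource parameter
    may be passed as a list. Returns (errors, warnings); an empty error list
    means the request satisfies the table's rules."""
    errors, warnings = [], []

    if not params.get("client_id"):
        errors.append("client_id is required")

    grant = params.get("grant_type")
    if grant not in GRANT_TYPES:
        errors.append(f"unsupported grant_type {grant!r}")
        return errors, warnings  # grant-specific checks are meaningless here

    for name in CONDITIONAL_REQUIRED[grant]:
        if not params.get(name):
            errors.append(f"{name} is required when grant_type is {grant}")

    # private_key_jwt client authentication needs both assertion parameters.
    has_assertion = bool(params.get("client_assertion"))
    has_type = bool(params.get("client_assertion_type"))
    if has_assertion != has_type:
        errors.append("client_assertion and client_assertion_type must be sent together")

    resources = params.get("resource", [])
    if isinstance(resources, str):
        resources = [resources]
    for uri in resources:
        res_errors, res_warnings = check_resource(uri, allowed_audiences)
        errors.extend(res_errors)
        warnings.extend(res_warnings)
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample: a PKCE authorization-code exchange for one audience.
    sample = {
        "client_id": "demo-client",
        "grant_type": "authorization_code",
        "code": "constructed-authorization-code",
        "redirect_uri": "https://client.example/callback",
        "code_verifier": "constructed-code-verifier",
        "resource": "https://api.example.com/",
    }
    print(validate_token_request(sample, {"https://api.example.com/"}))
```

The SHOULD NOT rule on the query component is deliberately reported as a warning rather than an error, mirroring the RFC 2119 wording in the table; the audience check is what ties a request to the tokens the server is actually configured to issue.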
Additional rules validation
AdditionalValidationRules is an additional setting on the OIDC connection that lets you customize validation rules. For the token endpoint you can define required parameters, required response claims and prohibited response claims.
The value of AdditionalValidationRules is provided in JSON format:
```json
{
  ...
  "token": {
    "requiredParameters": "",
    "requiredResponseClaims": "auth_time",
    "prohibitedResponseClaims": "nbf"
  }
}
```
- requiredParameters: a comma-separated list of required parameters that is validated against the parameters received in the token request.
- requiredResponseClaims: a list of claims that must be present in the token response. This setting currently only supports requiring the auth_time claim.
- prohibitedResponseClaims: a list of claims that must not be present in the token response. This setting currently only supports prohibiting the nbf claim and the name claim.
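The following Python, added here as an example and not part of Safewhere Identify, applies the token section of AdditionalValidationRules to a token request and to the claims of the ID token it returned. The configuration is a constructed sample in the documented shape; the supported-claim sets encode the page's note that only auth_time can be required and only nbf and name prohibited, and any other name is reported as a configuration error instead of being silently ignored. The sample ID tokens are constructed and carry a placeholder signature.

```python
import base64
import json

# Claim names the page says the two response-claim settings currently support.
SUPPORTED_REQUIRED_CLAIMS = {"auth_time"}
SUPPORTED_PROHIBITED_CLAIMS = {"nbf", "name"}

# Constructed sample configuration in the documented shape.
SAMPLE_RULES = json.loads("""
{
  "token": {
    "requiredParameters": "client_id, grant_type, code_verifier",
    "requiredResponseClaims": "auth_time",
    "prohibitedResponseClaims": "nbf, name"
  }
}
""")


def _names(setting):
    """Split a comma-separated setting value into parameter/claim names."""
    return [n.strip() for n in setting.split(",") if n.strip()]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Payload claims of a compact JWT. Decoding only: this does not verify
    the signature, so call it only on a token whose signature has already
    been checked."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_request_parameters(rules, params):
    """requiredParameters: every listed name must be present in the request."""
    required = _names(rules.get("token", {}).get("requiredParameters", ""))
    return [f"missing required parameter {n}" for n in required if n not in params]


def check_response_claims(rules, claims):
    """requiredResponseClaims / prohibitedResponseClaims applied to the claims
    of the token response. Names outside the documented support lists are
    reported as configuration errors."""
    token_rules = rules.get("token", {})
    problems = []
    for n in _names(token_rules.get("requiredResponseClaims", "")):
        if n not in SUPPORTED_REQUIRED_CLAIMS:
            problems.append(f"configuration error: requiring {n} is not supported")
        elif n not in claims:
            problems.append(f"missing required claim {n}")
    for n in _names(token_rules.get("prohibitedResponseClaims", "")):
        if n not in SUPPORTED_PROHIBITED_CLAIMS:
            problems.append(f"configuration error: prohibiting {n} is not supported")
        elif n in claims:
            problems.append(f"prohibited claim {n} present")
    return problems


def validate_token_exchange(rules, params, id_token):
    """Apply the token-section rules to a request and the ID token it returned."""
    return check_request_parameters(rules, params) + check_response_claims(rules, jwt_claims(id_token))


def make_sample_id_token(claims):
    """Constructed compact JWT carrying `claims` with a placeholder signature,
    for exercising the claim checks only."""
    def b64url(data):
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.constructed-signature"


if __name__ == "__main__":
    request = {"client_id": "demo", "grant_type": "authorization_code", "code": "c"}
    token = make_sample_id_token({"sub": "alice", "nbf": 1700000000, "name": "Alice"})
    for problem in validate_token_exchange(SAMPLE_RULES, request, token):
        print(problem)
```

Requiring auth_time is the useful case for a relying party that enforces re-authentication age, and prohibiting nbf or name keeps tokens from carrying claims a downstream consumer is not prepared to evaluate; the check runs on the decoded claims, so it belongs after signature verification, not before.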
Token signing
There are two settings on the OAuth/OIDC connection that specify the algorithm used for token signing: JWS algorithm and ID token signing algorithm.
- Access token: If the JWS algorithm is set to RSA Signing, the ID token signing algorithm (if specified) is used to sign the access token. Otherwise, the signing method defaults to None or HMACSymmetric.
- ID token: The ID token signing algorithm is always used to sign the ID token. Its default value is RS256.
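Because the access token may end up unsigned (None) when the JWS algorithm is not RSA Signing, a token consumer cannot simply trust whatever alg a token's header announces; it should pin the algorithm it expects from the connection settings and reject anything else. The following Python is added here as an example and is not part of Safewhere Identify: it derives the ID token algorithm from the setting (empty means the documented default, RS256) and rejects a token whose header alg is none or differs from the pinned value. The sample tokens are constructed placeholders with no real signature.

```python
import base64
import json


def expected_id_token_alg(id_token_signing_algorithm=None):
    """The ID token is always signed with the configured ID token signing
    algorithm; an empty setting means the documented default, RS256."""
    return id_token_signing_algorithm or "RS256"


def jwt_header(token):
    """Decode the protected header of a compact JWS without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    segment = parts[0] + "=" * (-len(parts[0]) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def check_alg(token, expected_alg):
    """Return None if the token's alg header equals the pinned expectation,
    otherwise a rejection reason. The header is untrusted input, so the
    expected algorithm always comes from configuration, never from the token;
    an unsigned token (alg none) is rejected regardless of configuration
    because nothing in it can be verified."""
    alg = jwt_header(token).get("alg")
    if alg is None or str(alg).lower() == "none":
        return "unsigned token (alg none) cannot be verified"
    if alg != expected_alg:
        return f"alg {alg!r} does not match the configured algorithm {expected_alg!r}"
    return None


def make_sample_token(alg):
    """Constructed compact JWT with the given alg header and a placeholder
    signature; for exercising the header check only."""
    def b64url(data):
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": "alice"}).encode())
    return f"{header}.{payload}.constructed-signature"


if __name__ == "__main__":
    pinned = expected_id_token_alg()  # connection left at the default
    for alg in ("RS256", "HS256", "none"):
        print(alg, "->", check_alg(make_sample_token(alg), pinned))
```

The same pinning applies to the access token: a resource server that knows the connection uses RSA Signing with a given ID token signing algorithm should accept only that algorithm, and one facing a connection whose access tokens are HMACSymmetric or None should treat the token as opaque rather than attempt to verify it locally.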